Joe McDonnell created IMPALA-13381:
--------------------------------------
Summary: Impala LDAP bind should check for password expiration
Key: IMPALA-13381
URL: https://issues.apache.org/jira/browse/IMPALA-13381
Project: IMPALA
Issue Type: Bug
Components: Backend, Security
Affects Versions: Impala 4.5.0
Reporter: Joe McDonnell
When LDAP is configured, Impala uses LDAP bind to check if a user can connect.
When a user has an expired password, bind still succeeds, because a user would
need to bind with the old password to change their password themselves. There
are ways to lock out a user with an expired password, but then the user needs
to ask the administrator to set a new password.
LDAP bind can request that the LDAP server provide information about password
expiration in its return. Impala should request this and reject users with
expired passwords.
In code, this involves adding a passwordpolicyrequest LDAP control to the bind,
which tells the server to respond with password information. Then, the response
will have an LDAP control that can be parsed with
ldap_parse_passwordpolicy_control().
The LDAP command-line tool has code that does this:
# Setting up the LDAPControl to pass into ldap_sasl_bind(): [https://github.com/openldap/openldap/blob/OPENLDAP_REL_ENG_2_4_47/clients/tools/common.c#L1391-L1407]
# The tool uses ldap_sasl_bind() + ldap_result() + ldap_parse_result() to get the result back: [https://github.com/openldap/openldap/blob/OPENLDAP_REL_ENG_2_4_47/clients/tools/common.c#L1502-L1531]
# Then, it reads off the password policy information and prints out the message: [https://github.com/openldap/openldap/blob/OPENLDAP_REL_ENG_2_4_47/clients/tools/common.c#L1533-L1562]
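As an added illustration (not Impala's or OpenLDAP's code), the following pure-Python decoder unpacks the password policy response control value that ldap_parse_passwordpolicy_control() returns as expire/grace/error, and applies a reject decision to it. The sample control bytes are constructed, and treating a grace-authentication bind as an expired password is an assumption of this example.

```python
# Decoder for the LDAP Password Policy response control value (control OID
# 1.3.6.1.4.1.42.2.27.8.5.1), the BER structure that libldap's
# ldap_parse_passwordpolicy_control() turns into expire/grace/error.
# Pure Python, no LDAP library or server required.

PPOLICY_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
PPOLICY_ERRORS = {0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
                  3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
                  5: "insufficientPasswordQuality", 6: "passwordTooShort",
                  7: "passwordTooYoung", 8: "passwordInHistory"}


def _tlv(buf, pos):
    """Read one BER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """Return {"expire": seconds|None, "grace": count|None, "error": name|None}."""
    out = {"expire": None, "grace": None, "error": None}
    tag, seq, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("PasswordPolicyResponseValue must be a SEQUENCE")
    pos = 0
    while pos < len(seq):
        tag, body, pos = _tlv(seq, pos)
        if tag == 0xA0:                    # warning [0] CHOICE
            wtag, wval, _ = _tlv(body, 0)
            if wtag == 0x80:               # timeBeforeExpiration [0] INTEGER
                out["expire"] = int.from_bytes(wval, "big")
            elif wtag == 0x81:             # graceAuthNsRemaining [1] INTEGER
                out["grace"] = int.from_bytes(wval, "big")
        elif tag == 0x81:                  # error [1] ENUMERATED
            code = int.from_bytes(body, "big")
            out["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
    return out


def should_reject(info):
    """Assumed policy: refuse the login when the server reports passwordExpired,
    or when the bind only succeeded because grace authentications remained
    (which means the password has already expired)."""
    return info["error"] == "passwordExpired" or info["grace"] is not None


# Constructed sample control values, as a server would attach to a BindResponse.
SAMPLE_EXPIRED = bytes.fromhex("30 03 81 01 00")           # error passwordExpired
SAMPLE_WARN = bytes.fromhex("30 06 a0 04 80 02 0e 10")     # expires in 3600 s
SAMPLE_GRACE = bytes.fromhex("30 05 a0 03 81 01 02")       # 2 grace logins left
SAMPLE_OK = bytes.fromhex("30 00")                         # nothing to report
```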